How do I report a vulnerability?

PLease notice that we do not answer support requests through the security email. For support rated queries, such as connectivity, incompatibility, or account related issues and questions, please contact our Support Team at: support@zenmate.com .

In a hurry? You can also find frequently asked questions and troubleshooting guides for instant self-support at ZenMate FAQs.

Rules

No unauthorized access of another individual's account or data.

No attacks that could affect the reliability / integrity of our services or data.

Please respect responsible disclosure - we will fix all valid issues as soon as we are able.

Only test for vulnerabilities on a domain owned by ZenMate. Some sites hosted on subdomains are operated by third parties should not be tested.

Don’t use scanners or automated tools to find vulnerabilities.

Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.

Scope

All of the following ZenMate products :

Browser extensions for Chrome, Opera and Firefox.

Desktop VPN clients for Windows and OSX.

Mobile VPN clients for iOS and Android.

All ZenMate websites.

However, the following vulnerabilities are not eligible for acceptance:

Missing SPF or DMARC records.

HttpOnly and Secure cookie flags.

Clickjacking.

Rate limiting.

Account enumeration.

Session Hijacking (cookie reuse).

Anything else we will check as soon as possible!

Please Note...

If sending your report via a video, please ensure that it isn't hosted on a public platform such as YouTube.

We do not accept bugs that have already been submitted by another user, or that we are already aware of.

Vulnerabilities that ZenMate determines to be an accepted risk will not be eligable for acceptance.

If we validate and accept your report as being non-trivial, valid and not yet reported, we will add you to our Hall of Fame.